It sets an access flag that gets checked later on. This is the first password check, seem familiar? It's the one that we saw in the screenshot above 0x0214 to 0x71. How much of the firmware survives is another question.Ī couple of hours of staring at unfamiliar assembly code later, here are the relevant parts for entering the Boot ROM with annotations: The only good thing about this method is that even if you have 0 knowledge about whether there even IS a method for entering the Boot ROM in the firmware let alone what it is there's still a high chance that you'll get in.
So when in doubt and you have nothing to lose, act like a caveman, I guess? But I did manage to reproduce the result on another chip using the same procedure. The good news though? (If we're lucky) We get 99% of the firmware, and thanks to Charlie Miller we have a disassembler(zip) for it.ĭid messing with Pin #28 even have an effect? Could it just have been the erratic resetting of the chip that triggered the malfunction? Did I short VCELL+ to Pin28 while messing about? Was there high voltage on VCELL+? Was it just ESD? (I wasn't really bothered by the chip dying as this was one of 2 sacrificial controller boards I kept just for messing around with.)Īnd the results? Apparently we can corrupt (ideally just) the first couple of blocks of flash if we bully PIN #28 while the chip is trying to start up. Is the chip fried? It's at this point that I coded up the flash tool to try and read the flash contents.
0 kommentar(er)
